nodepool-builder: Add webserver

This adds the webserver that serves the logs and generated images. Change-Id: I230f5291e0bd928af2e00966d76c3f385b749cb6
3 years ago · b1bfee423b
parent 1979d6b160
commit b1bfee423b
9 changed files with 124 additions and 2 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -841,6 +841,7 @@
          label: ubuntu-bionic
    vars:
      run_playbooks:
+        - playbooks/service-letsencrypt.yaml
        - playbooks/service-nodepool.yaml
        - playbooks/remote_puppet_else.yaml
    files:
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@ -65,15 +65,16 @@ groups:
  kubernetes:
    - opendev-k8s*.opendev.org
  letsencrypt:
+    - files[0-9]*.open*.org
+    - gitea[0-9]*.opendev.org
    - graphite01.opendev.org
    - insecure-ci-registry[0-9]*.opendev.org
    - mirror[0-9]*.opendev.org
-    - files[0-9]*.open*.org
+    - nb[0-9]*.opendev.org
    - review-dev[0-9]*.open*.org
    - review[0-9]*.open*.org
    - static.openstack.org
    - static[0-9]*.opendev.org
-    - gitea[0-9]*.opendev.org
    - zuul[0-9]*.open*.org
  logstash:
    - logstash[0-9]*.open*.org
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@ -171,6 +171,9 @@
 - name: letsencrypt updated gitea99-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_gitea.yaml

+- name: letsencrypt updated nb01-test-main
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 # We split out handlers for each gitea host as handlers should be run in order
 # This allows us to do a rolling restart of the gitea backends.
 - name: letsencrypt updated gitea01-main
--- a/playbooks/roles/nodepool-builder/handlers/main.yaml
+++ b/playbooks/roles/nodepool-builder/handlers/main.yaml
@ -0,0 +1,4 @@
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted
--- a/playbooks/roles/nodepool-builder/tasks/main.yaml
+++ b/playbooks/roles/nodepool-builder/tasks/main.yaml
@ -10,6 +10,9 @@
    - '/opt/nodepool_dib'
    - '/var/log/nodepool/builds'

+- name: Setup webserver
+  include_tasks: webserver.yaml
+
 - name: Ensure /etc/nodepool-builder-compose directory
  file:
    state: directory
--- a/playbooks/roles/nodepool-builder/tasks/webserver.yaml
+++ b/playbooks/roles/nodepool-builder/tasks/webserver.yaml
@ -0,0 +1,33 @@
+- name: Install Apache
+  package:
+    name:
+      - apache2
+      - apache2-utils
+    state: present
+
+- name: Apache 2 ssl module
+  apache2_module:
+    state: present
+    name: ssl
+
+- name: Rewrite module
+  apache2_module:
+    state: present
+    name: rewrite
+
+- name: Create virtualhost
+  template:
+    src: vhost.conf.j2
+    dest: /etc/apache2/sites-available/001-nb.conf
+
+- name: Disable default site
+  command: a2dissite 000-default.conf
+  args:
+    removes: /etc/apache2/sites-enabled/000-default.conf
+
+- name: Enable mirror virtual host
+  command: a2ensite 001-nb
+  args:
+    creates: /etc/apache2/sites-enabled/001-nb.conf
+  notify:
+    - restart apache2
--- a/playbooks/roles/nodepool-builder/templates/vhost.conf.j2
+++ b/playbooks/roles/nodepool-builder/templates/vhost.conf.j2
@ -0,0 +1,61 @@
+<VirtualHost *:80>
+  ServerName {{ inventory_hostname }}
+
+  ErrorLog /var/log/apache2/nodepool_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/nodepool_access.log combined
+  ServerSignature Off
+
+  Redirect / https://{{ inventory_hostname }}/
+
+</VirtualHost>
+
+
+<VirtualHost *:443>
+  ServerName nb01.openstack.org
+
+  SSLEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
+
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  DocumentRoot /var/log/nodepool/builds
+  <Directory /var/log/nodepool/builds>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  # Allow access to image files
+  Alias /images /opt/nodepool_dib
+  <Directory /opt/nodepool_dib>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+    # Only allow access to the qcow2 files as they are smallest
+    <FilesMatch ".+\.(vhd|raw)(\.(md5|sha256))?$">
+      Require all denied
+    </FilesMatch>
+  </Directory>
+  # Exclude the dib build dir as well.
+  <Directory /opt/nodepool_dib/*.d/>
+    Require all denied
+  </Directory>
+
+  AddType text/plain .log
+  <IfModule mod_deflate.c>
+      SetOutputFilter DEFLATE
+  </IfModule>
+
+  ErrorLog /var/log/apache2/nodepool_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/nodepool_access.log combined
+  ServerSignature Off
+
+</VirtualHost>
--- a/playbooks/zuul/templates/host_vars/nb01-test.opendev.org.yaml.j2
+++ b/playbooks/zuul/templates/host_vars/nb01-test.opendev.org.yaml.j2
@ -1 +1,5 @@
+letsencrypt_certs:
+  nb01-test-main:
+    - nb01-test.opendev.org
+
 nodepool_base_install_zookeeper: True
--- a/testinfra/test_nodepool.py
+++ b/testinfra/test_nodepool.py
@ -38,3 +38,15 @@ def test_builder_container_running(host):

    cmd = host.run("podman ps -a --format '{{ .Names }}'")
    assert 'nodepool-builder-compose_nodepool-builder_1' in cmd.stdout
+
+def test_builder_webserver_running(host):
+    if host.backend.get_hostname() != 'nb01-test.opendev.org':
+        pytest.skip()
+
+    apache = host.service('apache2')
+    assert apache.is_running
+
+    cmd = host.run('curl --insecure '
+                   '--resolve nb01-test.opendev.org:443:127.0.0.1 '
+                   'https://nb01-test.opendev.org/')
+    assert 'Index of /' in cmd.stdout